Summary
The DC-API ingress resource (kubernetes_ingress_v1.dc_api) in modules/management/dc-controlplane-services/main.tf currently exposes dcapi_hostname over plain HTTP with no TLS termination. TLS termination was intentionally deferred as this endpoint is internal-only (management network), but should be added before any broader exposure.
Work Required
- Wire cert-manager into the
dcapi-controlplane-rke2 cluster (Issuer/ClusterIssuer)
- Add a
tls block to kubernetes_ingress_v1.dc_api referencing a cert-manager-issued or pre-created TLS secret for var.dcapi_hostname
- Update
outputs.tf to expose the DC-API URL as https:// once TLS is in place
- Ensure the TLS secret name aligns with the cert-manager Certificate resource or pre-provisioned secret
References
/cc @HiranAdikari
Summary
The DC-API ingress resource (
kubernetes_ingress_v1.dc_api) inmodules/management/dc-controlplane-services/main.tfcurrently exposesdcapi_hostnameover plain HTTP with no TLS termination. TLS termination was intentionally deferred as this endpoint is internal-only (management network), but should be added before any broader exposure.Work Required
dcapi-controlplane-rke2cluster (Issuer/ClusterIssuer)tlsblock tokubernetes_ingress_v1.dc_apireferencing a cert-manager-issued or pre-created TLS secret forvar.dcapi_hostnameoutputs.tfto expose the DC-API URL ashttps://once TLS is in placeReferences
/cc @HiranAdikari